Unbreakable APIs: Best Practices for Application Security Testing

APIs are doors into your data and applications, so building security into them is just as important as securing web applications. In this presentation we will discuss best practices to ensure that APIs have full security coverage, and how teams can find and fix vulnerabilities before problems arise.

We’ll also cover the inflection points for security assessment in the software development life cycle (SDLC) as they may vary depending on whether the development team is enabling APIs for legacy applications or building new API-first applications. Join us to learn best practices on when to:

-Perform DAST of APIs for dynamic scanning, and create a plan for remediating/mitigating discovered vulnerabilities
-Perform SCA & SAST analysis for the API implementation code within the DevOps process
-Use secure design patterns within the enterprise application architecture
-Implement a robust feedback loop within the SDLC to act on the findings of various scans

Finely-tuned DevOps provides many benefits to an enterprise, including speed of development, improved deployment frequency, better collaboration between Development and Operations teams, lower failure rates of new releases, and faster times to market. But DevOps software development also presents a fundamental challenge to traditional software security practices. Application security often runs at the end of the software life cycle (SLC), and isn’t in DevOps’ hands. The issue then becomes: how to secure DevOps and make it DevSecOps?

As application development within Agile environments has increased, the need to bring security into the DevOps equation and enable developers has also grown. Software development is much quicker in an Agile environment. Without proper security or software composition analysis, the breadth of undetected security vulnerabilities can grow farther and faster.

With more entry points exposed to attack (as more functionality is introduced into applications), the frequency of attacks has also increased. DevSecOps therefore aims to open up cross-functional organizational structures and communication so that application security runs throughout the SLC and the post-release lifespan. Just as DevOps sought to lower the failure rate of releases, DevSecOps seeks to lower the number of vulnerabilities, detect them more efficiently and shorten the time-to-fix.

Today’s applications touch millions if not billions of people on a daily basis. With virtually every business using applications to grow, they are critical to companies’ success, yet the vulnerabilities and risks associated with them continue to increase.

To help educate the market on avoiding such breaches, the experts at the WhiteHat Security Threat Research Center (TRC) have compiled a Top 10 Application Security Vulnerabilities for Developers, detailing the most common web exploits used by malicious attackers during the past 12 months.

Join Mark Rogan from the WhiteHat Security Threat Research Center and Calvin Nguyen, Director of Product Management, as they discuss the top vulnerabilities and give valuable prevention tips for enterprises to implement.

As organizations strive to transform themselves for the digital economy, application development is moving further into the spotlight - and right behind it is application security.

So in 2019, AppSec can make or break a business. Instead of being overwhelmed by this pressure, there are tools and processes on the market that can help your application both meet and exceed business and security demands.

From infrastructure-as-code models to API security and DevOps, learn from this panel of global experts how to harness knowledge and accelerate application release cycles, improve security and transform your business.

For every 100KLOC, a monolithic application will have an average of 39 vulnerabilities whereas a microservice application will have an average of 180 vulnerabilities. You read that right. According to the data gathered from WhiteHat Security’s 2018 Stats Report, the transition of enterprise monolithic applications to distributed microservices architectures is actually increasing the overall average of total vulnerabilities. But why? Why is it that we seemingly continue to make the same mistakes again and again? And what does this say about the security of microservices architectures, or the developers that build them? The journey to a microservices architecture generally involves the decomposition of an already existing monolith application, wherein previous security assumptions and considerations are often questioned and sometimes invalidated.

Join Eric Sheridan, Chief Scientist at WhiteHat Security, for a dive into the security trends of microservice architectures. Participants of this talk will learn…
•Why we are seeing an increase in the number of vulnerabilities with the migration to microservices
•The most common vulnerability classes facing applications of microservices architectures
•Strategies that can be used to more readily find and fix vulnerabilities earlier in the development lifecycle

Setu Kulkarni, Vice President Strategy and Business Development, WhiteHat Security

Findings from the 2018 Application Security Statistics Report on the evolution of the secure software lifecycle. WhiteHat partnered with Coalfire and NowSecure to produce the report.

- How to measure the effectiveness of your application security investment to help mitigate overall business risk
- How to defend your applications by evaluating how your vulnerability levels and remediation times compare with industry benchmarks
- How to develop software more securely by partnering with the security team to adopt tools and methodologies compliant with your software development lifecycle (SDLC)

Presented by Setu Kulkarni, Vice President Strategy and Business Development, WhiteHat Security

Applications are our crown jewels. They run our businesses, power grids, military defenses, personal and business banking, social networks, hospitals, and entertainment. Yet are they secure? No, they are the most vulnerable assets we have, and they tend to remain so.

In this session, we’ll take a look at data which provides an analysis of tens of thousands of applications from 2017-2018 from approximately 900 companies both enterprise and SMB. The analysis includes global brands and local businesses, hundreds of thousands of application security tests and checks, along with an examination of code and behavior.

Presenters:
Joseph Feiman, PhD, Chief Strategy Officer
Joseph Feiman is the chief strategy officer at WhiteHat Security, a leading application security provider. Feiman is responsible for WhiteHat’s overarching business strategy and vision, to further its success in empowering secure development and operations. Previously, Feiman worked for 18 years at Gartner, where he was a Gartner research vice president and fellow.

Setu Kulkarni, Vice President, Product & Corporate Strategy
As the Vice President of Product & Corporate Strategy, Setu is responsible for product vision, strategy, and direction at WhiteHat Security. Setu joined the WhiteHat leadership team in early 2016 after a 10+ year stint at TIBCO Software Inc., where he most recently led product management and strategy for the Operational Intelligence product portfolio.

From development to DevOps to SecOps, and from day to day management to the Board of Directors, application security analytics are a necessity to drive action across your organization. We’ll discuss a crawl, walk, run approach including basic reporting, vulnerability management, CI/CD integration, and using analytics tools. You’ll learn how to mine your application security data to manage your biggest cybersecurity threat vector.

About the Presenter:
Setu Kulkarni is the VP, Strategy & Business Development for WhiteHat Security. Setu joined the WhiteHat leadership team in early 2016 after a 10+ year stint at TIBCO Software Inc., where he most recently led product management and strategy for the Operational Intelligence product portfolio. During his many years at TIBCO, he led a variety of strategic and operational initiatives – building the SOA platform for the Integration and BPM businesses, building the business launch platform for TIBCO’s cloud business, mainstreaming the LogLogic acquisition, and developing the next-gen ITOA offering. He earned an engineering degree in computer science and engineering from Visvesvaraya Technological University, India.

IoT systems are built from microservices and APIs, which makes them quick to implement and push into production. But are they secure? We will look at the challenges an IoT user should be aware of, and the checklists a programmer can use for best practices in IoT development.

In the past year, we’ve seen a litany of ransomware attacks: Petya, WannaCry, Bad Rabbit and many others. Victims have ranged from small businesses to large financial and healthcare companies hit by large-scale cyber-attacks.

Ransomware isn’t new. This type of attack has existed for some time, leaving systems across the world inaccessible behind a message that no one wants to see: ‘pay me or else’. Ransomware is a real issue, but one that can be mitigated if companies take the right approach.

Will this trend continue in 2018? Join Jessica Marie, Security Evangelist at WhiteHat Security to learn the ways you can protect your organization against ransomware.

Register for this webinar to learn:
• What to look for in ransomware attacks
• Training recommendations for both development and security organizations
• The importance of system backups
• How to test your web applications for vulnerabilities that would allow outsiders to upload malicious files
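The last bullet above, testing for uploads of malicious files, is the one place in this abstract that names a concrete check. The block below is an added example, not code from the webinar or from WhiteHat: a hypothetical upload validator (`validate_upload`, `storage_name` and the `ALLOWED_TYPES` policy are all assumptions made for the example) together with the constructed payloads a tester would throw at it: a script with its real extension, the same script renamed to an image extension, a traversal filename, and a double extension.

```python
import re
import secrets

# Constructed policy for this example: allowed extensions and the leading bytes
# ("magic numbers") that content of that type must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
MAX_BYTES = 5 * 1024 * 1024  # assumed size limit for the example
# Letters, digits, dot, underscore, hyphen only, no leading dot and no "..":
# rules out path separators, traversal and null/control characters.
SAFE_NAME = re.compile(r"^(?!.*\.\.)[A-Za-z0-9_-][A-Za-z0-9_.-]{0,99}$")

# Constructed test inputs (not real artifacts).
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # PNG signature plus padding
PHP_BYTES = b"<?php system($_GET['cmd']); ?>"           # webshell-style payload


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[1].lower() if "." in filename else ""


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for one upload. Hypothetical helper, not a library API."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    if not SAFE_NAME.match(filename):
        return False, "unsafe filename"
    ext = _extension(filename)
    if ext not in ALLOWED_TYPES:
        return False, "extension not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        # A script payload renamed to .png fails here: the bytes do not match the type.
        return False, "content does not match extension"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never store under the user-supplied name. A random name keeps only the validated
    extension, so a double extension like 'shell.php.png' cannot be executed via its name."""
    return f"{secrets.token_hex(16)}.{_extension(filename)}"


if __name__ == "__main__":
    for name, data in [
        ("photo.png", PNG_BYTES),
        ("shell.php", PHP_BYTES),
        ("shell.png", PHP_BYTES),
        ("../../var/www/html/x.png", PNG_BYTES),
        ("evil.php.png", PNG_BYTES),
    ]:
        print(f"{name!r:32} -> {validate_upload(name, data)}")
    print("stored as:", storage_name("evil.php.png"))
```

A magic-byte check does not detect polyglot files (a valid PNG with script appended), so the validator is only one layer: store uploads outside the web root under the generated name, serve them with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, and make sure the application server never executes anything from the upload directory.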

GDPR is coming, and anyone doing business with the EU may need to appoint a Data Protection Officer and will need to determine their data strategy.

With a third of all attacks coming in against web applications, mapping the data flows through those applications is required to satisfy due diligence in securing your customer data and EU citizen data, and is a good exercise in general for protecting your own intellectual property.

In this talk, Jeannie Warner, Security Manager and Kurt Risley, Security Architect at WhiteHat Security will offer best application security practices for data in the following categories:

- Data Classification - how secure does it need to be?
- Data Categorization - which regulations will apply?
- Data Rules - what kinds of repeatable policies should be applied?
- Data Mapping - identify the flow from database to applications to client apps via APIs
- Data Securing - showing the best practices for securing the applications by use cases

Join us to understand what happens when someone logs into a web application. Mike King, Technical Escalations Engineer for WhiteHat Security, will guide you through common access scenarios and vulnerabilities.

By the end of this educational webinar, you’ll understand:
-How web applications authenticate and authorize users
-What can go wrong in the process
-How to determine if you have a problem on your hands
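To make the authenticate-then-authorize sequence concrete, here is an added example (not code from the webinar or from WhiteHat) of a hypothetical in-memory application: `login` answers "who is this?" with a salted PBKDF2 check, and the two `get_invoice` variants show the classic thing that goes wrong next: a handler that verifies the session but never checks that the caller owns the object it returns. The class, the invoice records and the PBKDF2 work factor are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor; assumed for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class App:
    """Hypothetical web app: users, session tokens and per-user invoices."""

    def __init__(self):
        self.users = {}     # username -> (user_id, salt, password_hash)
        self.sessions = {}  # session token -> user_id
        self.invoices = {}  # invoice_id -> {"owner": user_id, "amount": ...}
        # Hash used for unknown usernames so login time does not reveal whether
        # an account exists.
        self._dummy_salt = secrets.token_bytes(16)
        self._dummy_hash = _hash_password("dummy", self._dummy_salt)

    def register(self, user_id: int, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[username] = (user_id, salt, _hash_password(password, salt))

    def login(self, username: str, password: str):
        """Authentication. Returns a random session token, or None on failure."""
        user_id, salt, stored = self.users.get(
            username, (None, self._dummy_salt, self._dummy_hash))
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
        if not ok or user_id is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

    def get_invoice_vulnerable(self, token: str, invoice_id: int):
        """Checks authentication only: any logged-in user can read any invoice
        by guessing its id (an insecure direct object reference)."""
        if token not in self.sessions:
            return "unauthenticated", None
        invoice = self.invoices.get(invoice_id)
        return ("ok", invoice) if invoice else ("not found", None)

    def get_invoice(self, token: str, invoice_id: int):
        """Authentication plus authorization: the caller must own the invoice."""
        user_id = self.sessions.get(token)
        if user_id is None:
            return "unauthenticated", None
        invoice = self.invoices.get(invoice_id)
        if invoice is None or invoice["owner"] != user_id:
            # Same answer for "missing" and "not yours", so ids cannot be enumerated.
            return "not found", None
        return "ok", invoice


def build_demo_app():
    """Constructed fixture: two users, one invoice each. Returns (app, alice_token)."""
    app = App()
    app.register(1, "alice", "correct horse")
    app.register(2, "bob", "battery staple")
    app.invoices[1001] = {"owner": 1, "amount": 120}
    app.invoices[1002] = {"owner": 2, "amount": 450}
    return app, app.login("alice", "correct horse")


if __name__ == "__main__":
    app, alice = build_demo_app()
    print("alice reads bob's invoice (vulnerable):", app.get_invoice_vulnerable(alice, 1002))
    print("alice reads bob's invoice (fixed):     ", app.get_invoice(alice, 1002))
    print("alice reads her own invoice:           ", app.get_invoice(alice, 1001))
```

The "how to determine if you have a problem" check follows directly from the fixed handler: log in as one user, request another user's object ids, and confirm every response is the same "not found" you would get for an id that does not exist.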

2016 saw an all-time high of 4,100+ data breaches and over 4.2 billion records compromised. The bad news is that security attacks and incidents continue piling up in 2017. The good news is that you can take steps to protect your organization from experiencing the same fate of those exploited companies that make front-page news.

•Why brand-name companies like Equifax and T-Mobile were compromised
•How hackers gain access to organizations’ networks and most valuable assets
•What your organization can do to identify vulnerabilities and avoid the same fate

Register now to hear expert insights on the biggest threats of 2017 and best practices for protecting your organization going forward.

Ryan O’Leary is the Chief Security Research Officer of the Threat Research Center and Technical Support at WhiteHat Security. He joined WhiteHat Security as an ethical hacker in 2007 and has since developed a breadth of experience finding and exploiting web application vulnerabilities and configuring automated tools for testing. Ryan manages a team of over 150 security engineers, based in three locations over two continents. He is also responsible for overseeing the delivery of WhiteHat Sentinel, which services over 10,000 customer websites. Under Ryan’s leadership, the team has built a one-of-a-kind database that combines details of more than 26M vulnerability patterns with proprietary algorithms to assess the threat level.

SQL injection attacks enable attackers to tamper with, delete or steal sensitive data from corporate databases. In this webinar, Zach Jones, senior manager for static code analysis from WhiteHat Security’s Threat Research Center, will discuss SQL injection attacks and how to best defend against them.

In this webinar, we will:
- Provide examples of vulnerable code
- Discuss data boundary concepts between input and target interpreters
- Explain the differences and advantages of using parameterized queries versus custom stored procedures
- Discuss the pitfalls of using selective parameterization or trying to sanitize inputs by escaping or encoding them manually
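The following is an added example illustrating the three points above (vulnerable code, the data boundary between input and the SQL interpreter, and why escaping is not a substitute for parameterization); it is not code from the webinar or from WhiteHat, and the table, rows and function names are constructed for the example. It uses SQLite, which has no stored procedures, so only the parameterized-query side of the comparison is shown.

```python
import sqlite3

# Constructed sample rows for the demonstration; not data from any real system.
SAMPLE_USERS = [
    (1, "alice", "alice@example.test"),
    (2, "bob", "bob@example.test"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn, username: str):
    # Vulnerable: the input crosses the data boundary into the SQL interpreter,
    # which cannot tell where the data ends and the query resumes.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_parameterized(conn, username: str):
    # Fixed: the query text is constant; the value is bound separately and is
    # never parsed as SQL, whatever quotes or keywords it contains.
    sql = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def naive_escape(value: str) -> str:
    # Hand-rolled escaping of the kind the webinar warns against: it only doubles quotes.
    return value.replace("'", "''")


def find_by_id_escaped(conn, user_id):
    # Escaping is applied, but the value lands in a numeric context where there are
    # no quotes to break out of, so "1 OR 1=1" passes through untouched.
    sql = f"SELECT id, username FROM users WHERE id = {naive_escape(str(user_id))}"
    return conn.execute(sql).fetchall()


def find_by_id_parameterized(conn, user_id):
    # The same lookup with a bound parameter: a non-numeric string matches nothing.
    sql = "SELECT id, username FROM users WHERE id = ?"
    return conn.execute(sql, (user_id,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"
    print("vulnerable    :", find_user_vulnerable(db, tautology))       # both rows leak
    print("parameterized :", find_user_parameterized(db, tautology))    # []
    print("escaped, int  :", find_by_id_escaped(db, "1 OR 1=1"))        # both rows leak
    print("param, int    :", find_by_id_parameterized(db, "1 OR 1=1"))  # []
```

The second pair is the "selective parameterization" pitfall in miniature: an escaping routine that is correct for one context (string literals) is silently wrong in another (numeric literals, identifiers, `LIKE` patterns), and a code base that parameterizes most queries but hand-builds a few is only as safe as the worst one. Bind every value, in every query.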

WhiteHat Security has extensive experience working with customers to identify and fix the latest web application vulnerabilities. Join us to gain a deeper understanding of common web application vulnerabilities, get expert technical advice on defensive tactics, and learn best practices to safeguard your apps from being exploited.

The Internet of Things (IoT) is a strategic direction for 56% of the enterprises in the next two to three years*. For most people, the term IoT conjures up a wealth of opportunities and a vision of a hyper-connected world, but with great innovation comes a greater risk.

- How do you keep ahead of the cyber threats surrounding these connected devices?
- What are some of the biggest security challenges and how to address them?
- How do you ensure the security of the sensitive data generated by your IoT devices?

Join us in this webinar to learn about how you can combine IoT innovation with security strategies to protect the core and surrounding systems of IoT devices, including the web and mobile applications, servers, databases, and their integrations with other systems.
* IDC Global 2016 Survey

Presenter Bio
As the Vice President of Product Management, Setu is responsible for product vision, strategy, and direction at WhiteHat Security. Setu joins the WhiteHat leadership team after a 10+ year stint at TIBCO Software Inc., where he most recently led product management and strategy for the Operational Intelligence product portfolio.

The financial services industry has always had to deal with security risks and expensive data breaches, because of regulatory fines and a higher-than-average rate of lost business and customers. But with today’s continuously evolving cyber threat landscape, keeping up with regulatory compliance alone is not enough. Per the 2016 Verizon Data Breach Investigations Report, web application attacks are the Achilles’ heel of security, responsible for 82% of data breaches in the financial services sector. Join this session to learn more about cybercrime trends in financial services, and how a continuous application security assessment program can help financial services organizations improve their security posture and mitigate risk.

In this webinar, we will discuss:
• Current threat landscape for financial services organizations
• Vulnerability statistics for financial services sector
• How continuous application security testing can help your security and risk posture

About the Presenter:
Ryan O’Leary is Vice President of the Threat Research Center and Technical Support at WhiteHat Security, the specialized team of web application security experts. Ryan joined WhiteHat Security as an ethical hacker in 2007 and has since developed a breadth of experience finding and exploiting web application vulnerabilities and configuring automated tools for testing. Ryan swiftly rose through the ranks to become the Vice President of WhiteHat Security’s Threat Research Center in 2016. Reporting directly to CEO Craig Hinkley, Ryan now manages a team of over 150 security engineers. Under Ryan’s leadership, the team has built a one-of-a-kind database that combines details of more than 26 million vulnerability patterns with proprietary algorithms to assess the threat level.

Mobile devices are everywhere, inside and outside the workplace, but mobile phone security as a discipline has focused on parts of the solution such as WiFi connections, anti-virus and anti-spyware. Mobile security apps are everywhere, but what are they securing? What is the actual security impact to your organization of insecure mobile app usage? For meaningful risk management, you need to understand both the qualitative and quantitative values of mobile security risk.

Join WhiteHat Security and our technology partner NowSecure for a discussion of leaky apps, how they can expose private and sensitive data, and, more importantly, what kinds of data can be exposed.

We’ll review how insecure mobile applications can create incidents, and how they impact the enterprise or organization. Finally, we will introduce you to the different ways WhiteHat can help you build mobile security into your larger DevSecOps and vulnerability management programs.

About the Presenters:
Andrew is the Co-founder and CEO of NowSecure. As a former CIO, Andrew has unique insight into solving enterprise mobile security problems and is driven by NowSecure’s mission to advance mobile security worldwide. He is responsible for the vision, strategy and growth of the company.

Setu Kulkarni is the VP of Product Management at WhiteHat Security. Setu is responsible for product vision, strategy, and direction at WhiteHat Security. Setu joins the WhiteHat leadership team after a 10+ year stint at TIBCO Software Inc., where he most recently led product management and strategy for the Operational Intelligence product portfolio.

With cyber attacks on the rise, how can we apply what we know about attackers to better protect our organizations? There are some key personas when it comes to who is attacking web sites. Everyone from teenagers to national agencies is now hacking organizations via their websites, which is the vector 40% of the time. Each attacker has their own motivation and unique skills, and uses them to pull off quite different attacks. The type of persona most likely to attack your organization gives insight into the likely methods and the suggested remedies.

Join this session to learn:
- How to identify your cyber attacker
- How the identity of the attacker can guide crafting a security policy geared towards that threat
- Best practices & use cases

About the Presenter:
Ryan O’Leary is VP of the Threat Research Center and Technical Support at WhiteHat Security, the specialized team of web application security experts. Ryan joined WhiteHat Security as an ethical hacker in 2007. Reporting directly to CEO Craig Hinkley, Ryan now manages a team of over 150 security engineers, based in three locations over two continents. He is also responsible for overseeing the delivery of WhiteHat Sentinel, which services over 10,000 customer websites. Under Ryan’s leadership, the team has built a one-of-a-kind database that combines details of more than 26 million vulnerability patterns with proprietary algorithms to assess the threat level.

Seamlessly integrating AppSec testing into CI processes earlier in the SDLC has become the holy grail of DevOps and security teams. Achieving this means apps are not only more secure and can be deployed more quickly, but companies are also able to reap substantial cost and resource savings.

Join Mike Goldgof, WhiteHat Security’s VP of Marketing, to learn about best practices and what’s needed to fit security testing into the highly automated Agile DevOps processes that are transforming the development world and the speed of delivery that businesses demand today.

The Internet of Things (IoT) is rapidly changing the way we look at everything. The advantages we gain with smart devices are driving us to new levels of convenience in healthcare, manufacturing and automation, but IoT also presents many security challenges. So how do we efficiently manage thousands of devices? How do we effectively deal with mutual authentication? How do we know what is trustworthy and what is not? And most of all, how do we do this at a massive scale? This panel will explore the IoT challenges that we face and the solutions that we can implement today for a more secure future.

The audience will learn:
- How and why IoT is different than our classic, traditional IT environments
- The current state of security and privacy in IoT and how it will impact individuals, homes, buildings, cities, states, and nations
- What the future holds for security and privacy in our ever-evolving IoT world
- The need for standards
- Medical devices
- Home automation
- Connected cars
- Smart cities

WhiteHat Security has honed its 17 years of experience in the application security space to provide developers with the tools and services they need to write and deliver the most secure software at the speed of business. The award-winning WhiteHat Application Security Platform, which has been featured on the Gartner Magic Quadrant for Application Security Testing for the last five years, is empowering true DevSecOps by continuously assessing the risk to organizations’ software assets and helping them to embed security throughout, and beyond, the software life cycle (SLC). The company is based in San Jose, California, with regional offices across the U.S. and Europe. For more information on WhiteHat Security, please visit www.whitehatsec.com, and follow us on Twitter, LinkedIn and Facebook.